SQL Injection Fools Speed Traps And Clears Your Record

Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…

The basic premise of this hack is that the hacker has created a simple SQL statement which will hopefully cause the database to delete any record of his license plate. Or so he (she?) hopes. Talk about getting off scot-free!

The reason this works (or could work?) is that, while you would think a traffic camera is only taught to recognize the license plate characters, the developers of the third-party image recognition software simply digitize the entire thing, recognizing any and all of the characters present. If that recognized text is then placed into a database query without being checked, the banner gets treated as part of the SQL rather than as a plate number. While it’s certainly clever, we’re pretty sure you’ll still get pulled over and questioned, but at least it’s not as extreme as building a flashbulb array to blind traffic cameras…

What do you guys think? Did it work? This image has been floating around the net for a few years now — if anyone knows the original story let us know!
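To make the premise concrete from the defender's side, here is an added example (not code from the original post or from any real camera system) of a back end that stores OCR output, first by pasting it into the statement and then with bound parameters and a plate-format allow-list. The table name, the sample OCR strings and the plate pattern are all assumptions made up for the illustration.

```python
import re
import sqlite3

# Constructed OCR outputs: a normal plate, and a banner read in full.
NORMAL = "ZU 0666"
BANNER = "ZU 0666', 0); DROP TABLE sightings; --"

# Assumed allow-list: 2-3 letter prefix, optional space, 4-5 characters.
PLATE_RE = re.compile(r"[A-Z]{2,3} ?[A-Z0-9]{4,5}")


def new_db():
    """Fresh in-memory database with one existing sighting."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (plate TEXT, speed INTEGER)")
    db.execute("INSERT INTO sightings VALUES ('WA 12345', 92)")
    return db


def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type = 'table' AND name = 'sightings'"
    ).fetchone()
    return row[0] == 1


def record_vulnerable(db, ocr_text, speed):
    # The OCR text is pasted into the statement, so a quote inside it ends
    # the string literal and whatever follows is parsed as SQL.
    db.executescript(f"INSERT INTO sightings VALUES ('{ocr_text}', {speed});")


def record_bound(db, ocr_text, speed):
    # Bound parameters travel separately from the statement text, so the
    # OCR output can only ever be stored as a value.
    db.execute("INSERT INTO sightings VALUES (?, ?)", (ocr_text, speed))


def record_hardened(db, ocr_text, speed):
    # Reject reads that are not plate-shaped (a real system would queue the
    # image for manual review), then bind whatever passes.
    if not PLATE_RE.fullmatch(ocr_text):
        return False
    record_bound(db, ocr_text, speed)
    return True
```

With the constructed banner string, `record_vulnerable` leaves the database without its `sightings` table, `record_bound` stores the whole banner as an odd-looking plate value, and `record_hardened` stores nothing and returns `False`.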

111 thoughts on “SQL Injection Fools Speed Traps And Clears Your Record”

  1. If this works, I will laugh my head off. Not only does it attempt to drop a table, it attempts to drop the ENTIRE DATABASE. Given the structure of the injection string, it would also appear that the person not only knew the structure of the table and database, he/she also knew the format of the actual SQL statement that was doing the injection! (IF it’s real, of course)

  2. It could work. Every once in a while I’ll run into a spammer that offers automatic removal of email addresses. I feed into the field “*@*.com” to see what will happen.

  3. I don’t think it’s going to work. I work a lot with check image processing (similar to mobile deposit on your phone) and when images are captured by a camera, the first thing done is finding the object you are trying to read. In my case, it is a check, so we find the edges in the image and then “guess” what the check is by finding 4 edges that make a rectangle and could match the aspect ratio of a check. This gives us the values we need to then make the check “flat” in the image so that character recognition is easier. I am sure that license plate recognition works the same way. His banner certainly does not match the aspect ratio of a license plate. Novel idea, but I think it will always be just a novelty :)

    1. So. What you are saying is that we could make a border around the plate that would add an extra number or offset a number by tricking the system to see a false start/end which would cause a failure to properly read the plate? Sounds kind of easy to fool.

      1. I think it doesn’t have to be on a car. If the statement was included inside a rectangle with the same aspect ratio, and maybe in the same format the OCR expects to read… And if one comes closer to the camera, it would be more readable. And it has a chance to work because the OCR will search the database to query the register, and that’s when the injection occurs. Unless it only queries in the correct plate format.

  4. Can’t work. Most ANPR software looks for a short number of chars to read depending on the type of plate expected. For example, in France an ANPR will look for 7 or 9 chars, not more. Everything above that will be read by the OCR but not saved to the DB.

    1. Two more points:
      ANPR searches for a rectangle in the image to know where to find chars (won’t work here)
      Most ANPR (at least good ones) work with IR light, so printed paper won’t work :)

    2. Which then begs the question, what could you paint on either side of your real number plate to cause the OCR to fail? Ideally without being so obvious that police pulled you over.
      Does ANPR use visible light, or IR? If it’s IR you could paint ON the plate and it wouldn’t be visible to humans.

  5. One of my co-workers says it doesn’t work. And I’m pretty sure he’s right. He saw that years ago on a French website (yes it’s a French crappy car). There are “prepare statements” in order to avoid anything like that. Brilliant idea however and it looks fun.

          1. GM makes three times the amount of cars that Renault makes, and I will make fun of my crappy Saturn any day. Also, you should double check your “4th biggest” factoid.

            Even if it was the number 1 producer, that doesn’t mean anything. Case in point: Tata everything they make is crap and yet they are the most popular company in India.
            People will buy what is cheapest a lot of times. Of course something that is cheap is probably crappy.
            But it is true that making fun of the French is as obnoxious as how they make fun of us all the time.

          2. @mikethezipper Renaults are among the best selling cars, and the most used car brand in Europe, sorry we don’t care for chevy/ford pickups the size of a friggin boat and still unable to protect their driver, to each their own ay?

    1. SQL prepare statements only work if the programmer was wise enough to use them. That is the whole point of the joke, that bobby tables would have been a non-issue if the programmer properly sanitized the input data.

  6. This was made in Poland – home of people who have minds set to hacking mode since birth – common thinking is that you need to know how to cheat absurdities of The System.

    The “TABLICE” in DROP DATABASE part means “number plates”.

    This picture is just a joke, of course.

      1. There is a significant culture for it. Most of the best lockpickers and safecrackers in the world are from that general region. Dutch are even more strongly suited. It is just the way the culture is over there. Like in the US people tend to value independent action, or at your house, where everyone is an asshole.

      2. Mike, why are you asking about polish people when he’s talking about Polish people? :) The latter do have an innate distrust of authority and rules and a knack for inventing new ways of circumventing the system. I suppose that over a hundred years under foreign rule, 5 years of Nazi occupation, and 50 years of communism does that to people…

  7. I can tell you I have a coworker who has an injection on his license plate. He thought it was really clever at the time. He’s been pulled over twice since and both times the cops couldn’t run the plate. Once he was detained for a period because the plate didn’t come up in the system and they thought it was stolen. The last time he was up for renewal he couldn’t do it at the DMV.

      1. Don’t want to give his plate number out, but it starts with a double tic. It’s supposed to be illegal to have multiple special characters here, so they should never have issued the plate in the first place. I suspect it went through because it failed to register as a “bad” combination. The cops obviously have no clue. The first time running it allegedly crashed the MDT application on the laptop. The second time it just didn’t resolve to a valid plate and came back as “no record found”. Of course the cop just assumed that meant it wasn’t a valid plate, probably because it was stolen previously. He had to manually call it in, which took a while and the DMV finally just said they couldn’t figure out what was going on so they eventually let him go. In both cases they didn’t write a ticket because they couldn’t run the plate, so I guess it was a win. Apparently it wasn’t too much hassle, because he still has the plate today.

  8. I can tell you that this picture was taken in Poland (you can see ‘PL’ written at the beginning of the real licence plate).

    Also “ZU O666” can be interpreted as “ZŁO 666” (pronounced the same), which means “EVIL 666”.

    The database in the query is called “Tablice” which means “[licence] plates” in Polish.

  9. As everyone else is saying, yes this is old. Also someone on Twitter mentioned that it’s been thoroughly debunked.

    But click through and read the article that is linked. He makes a really good point about systems that take automatic input like this license plate scraper, or airline baggage tag scanners. Are these systems which don’t allow keyboard input being tested for injection attacks?

  10. Without going all the way to SQL injection you could imagine putting stickers with lots of alphanumeric characters the same size and shape as the license plate. That way the system wouldn’t be able to tell what the plate is amongst all the gibberish.

  11. As others already stated, none of the ANPR systems on the market should read this as a plate. Mainly because the plate has invalid dimensions and by far too many characters. But certainly sometimes they will at least partially read it!

    Concerns about reflection in IR range are only an issue at night. At daytime even IR-only systems will read non-reflective items. Recognition rate will drop but reading is still possible and will work in a lot of cases. Furthermore such systems will regularly read text from banners on trucks by accident from time to time even though these banners are not designed to be reflective in IR-range.

    Syntax checks for licence plates are based on a good guess because they may not be unique when handling many different countries which is the default case in such systems most of the time. So you can’t throw away the plate if syntax doesn’t match any known syntax. You will therefore end up with funny readings from time to time.

    1. There was a guy in New York City who got NOTAGS as a vanity plate. Kept getting fines for not having a license because stupid meter readers and stupid DMV people would either write the plate data in the wrong spot or if it was in the right spot on the form they wouldn’t pay attention to where on the form NOTAGS was written. He finally gave up combating stupidity and got something different.

      Right now there’s a guy in Florida who has never been to Miami yet has received at least one ticket from that city. He has a pickup truck. Someone in Miami has a car with a plate number that is the same as his except for an O, 0 or Q. I don’t recall which character is on his plate, but the stupid idiots at Miami DMV refuse to kill the ticket. The traffic camera photo was taken in either the morning or evening and is too grainy to make out whether or not the suspect character is a Q or not.

      You’d think that once shown the difference between a pickup truck and a car, they’d just forget it, and go to their database and search for a CAR, registered in Miami, with a plate that’s almost but not quite exactly like the one they mistakenly sent the ticket to.

  12. I doubt it would work. What’s more, if any actual cop saw that on the road, he could pull him over for not displaying proper plates. I’d bet the fine for that is more than the speeding fine would be.

    1. And finally somebody states the obvious.
      Reading the comments, that’s what I kept thinking. None of their arguments matter, because this person is going to get pulled in a matter of hours anyway.

  13. I would reckon that ALPR systems have error checking like others have said for “does plate have proper number of digits” and “does plate have proper characters in string” types of gotchas. I would also imagine that they would capture an image of the cars they can’t read for further investigation, if not for criminal activity, then for troubleshooting data. Capturing the plate to text and databasing it is one part of the system, they do keep the actual pictures as well. This is like getting a plate that says 1111111 to commit a crime because it’s hard to tell if it’s 1111111 or IIIIIII – but you’ll still get busted every time because the pattern is so unique (that might actually be in a xkcd strip as well). Try driving this past the 5-0 and see what happens…

    1. To prevent this kind of error, Polish license plates have AAA BBBB or AA BBBBB format, where AAA is prefix for city (only known prefixes, even for “custom” plates) and BBB are only non-similar alphanumerics. In B section there can be no uppercase i, lowercase L, only 1. The same with O/0, there can be only 0.

  14. Stupid… you are better off just removing your license plate. I doubt any programmer would be dumb enough to not do any type of variable validation before running an SQL command. They probably removed special characters from the OCR script too, in order to make recognition faster by narrowing possible values.

    Funny though.

    1. You would be surprised. At last count only 26% of programmers have any secure development training and of those only a tiny fraction bother to do it. They get paid the same and are not legally liable like real engineers are, so why should they care? Security is hard, thus why so many crimes succeed and so many identities stolen.

  15. In Colorado we do have traffic cams at various intersections, but there is an old law in place that a lot of residents aren’t aware of:

    Traffic violations must be served to you by a physical public servant.

    This means if you receive one of these traffic cam tickets in the mail, you can ignore it and you will not suffer any penalty. Sadly a lot of folks actually pay for them, even worse that the local authorities are allowed to “scam” residents in this manner.

    1. If you broke the law by speeding, the fact there’s an old law that works in your favor to get around it, doesn’t make it a “scam” for them to try to charge you.

    1. You know, if you can read a licence plate in daylight, a standard camera will take an equally legible photo, and an expensive traffic camera will take an excellent one. If you can read it through a blurry plate cover, so will the camera, and even if it can’t, it will flag it for a human to examine.

      Furthermore, if such things were effective, cops would be taught to watch for them, and they would pull you over and ticket you.

  16. A lot of people around the world have hacked the actual cameras themselves. Common tools employed include flaming tires, sticking a post-it note on the lens, spraypaint (for the easy-to-reach units), or paintball guns, hacksaws, crowbars, axes, and ramming them with a sturdy front bumper to knock them over (for the ones on tall poles). Each camera costs a ridiculous amount of money, so don’t get caught defending yourself from a government-approved mugging.

    If the Supreme Court takes the case this time, these traffic scameras might be outlawed in the U.S. (like they should be), making the issue moot: http://www.thenewspaper.com/news/43/4376.asp

    Failing that, somewhere around 90% of the municipalities where they’ve been brought to on a vote they are outlawed by a very substantial margin (and the incumbents who initially approved them tend to be replaced as well).

    In the meantime, more anti- Big Brother tech please! Like how do we jam the RF data feed of those automatic plate readers that are popping up all over the place without disrupting other RF-dependent activity (such as listening to the radio)?

    1. While they’re terrible systems, a lot of those actions sound like vandalism.

      This thing is slightly better aligned than a captcha, with such poor legibility, I don’t know if a machine vision system can get that right.

  17. ” it opens many new doors for mischievous and malicious attack”

    like allowing a hackers movie style attack on an individual.

    just like the hackers in the movie set up richard gill as a criminal and eventually registered him as dead the hack here could allow you to be able to take a picture of the plate of someone you have a vendetta or grudge and submit it along with a photoshopped image of their car on the road and rack up their fine tab.

    the only problem i see with that is you have to make sure the person uses that road anyways or they could argue ” i never was on that road”.

  18. License plate recognition software is specifically designed for license plates. It’s not your average OCR software. It’s capable of car-specific things like recognizing plate numbers under a layer of mud.
    In short, it would not recognize anything that isn’t a license plate. This pic is just the average SQL-injection joke.

  19. How ridiculous. Funny idea, but ridiculous. Even if it did work, there’s little doubt of some sort of back-up process existing at the government’s (or contract vendor’s) data center. They love to spend money on stuff.

    Database of people they have to pay money to == not so important … but, database of people that owe them money == more than likely backed up somewhere.

    Also, whether it worked or not, wouldn’t this be considered an attempt at illegal cracking? (On this site, I dare not call it what the news calls it.)

    I think it would be in the States… “unauthorized access”, “intentionally, without authorization”, “knowingly … program, information, code, or command … result of such … intentionally causes damage”

    http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act

    1. There were construction plans back in the ’80s for a system like this that were advertised in the electronic magazines. I think I still have them. It had a hall effect sensor that mounted on your driveshaft and an under-dash control box with a digital display. You could set it to either display a percentage of your actual speed or a speed you dialed in. A Gunn diode was then used to transmit the signal. I supposed it was outdated when laser systems came into use.

  20. I worked on these systems, won’t work for multiple reasons. It’s not in the normal detection areas, the text does not fit in any license plate regular expression.

    It will get you arrested.

    1. Many of them use regular (fairly high end) consumer type cameras. So, you can bet it’s got the IR filter in place.
      But I think with some of the higher wattage (3/5 watt) IR LEDs, you could still do this, just enough to blur the edges of the plate, without looking like you’re doing anything.
